CVE-2025-27602

low-risk

Published 2025-03-11

Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to. The issue is patched in versions 10.8.9 and 13.7.1. No known workarounds are available.

Do I need to act?

0.12% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.9/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Umbraco Cms

Affected Vendors

Umbraco

References (3)

Patch https://github.com/umbraco/Umbraco-CMS/commit/5b54bed406682ceff57903bf7d3c57814e...

Patch https://github.com/umbraco/Umbraco-CMS/commit/7888b9a4ce5ae7f9bda7ff3bb705b8fcd2...

Patch https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wx5h-wqfq-v698

/ 100

low-risk

Severity 16/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal